On Changing Password Guidance: A Good First Step From Microsoft

Passwords, as a security solution, have become untenable. Whereas 15 years ago you might only have needed to remember two passwords, your ISP password and your work password, now we have a plethora of passwords to keep track of: power utility websites, water utility websites, bank websites, online payment websites, Facebook, Instagram, Twitter, Pinterest and any number of other sites that hold our information. The guidance has often been to make passwords complex, alphanumeric, contain special characters, be as long as possible, oh and make them easy to remember but don’t reuse passwords and never write them down.

That’s why I was heartened to see this recent guidance from Microsoft regarding some rethinking about passwords and how we create them. Take a moment to read it:

https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf

Of note are the password guidance items for IT administrators that depart from conventional wisdom:

1. Maintain an 8-character minimum length requirement (and longer is not necessarily better).
2. Eliminate character-composition requirements.
3. Eliminate mandatory periodic password resets for user accounts.

The paper explains the logic behind this guidance, but it’s worth noting that the data and rules around keeping accounts more secure are shifting. Secure platforms are no longer placing the onus entirely on the user to follow hard-set, complex rules. Instead, they recognize the challenge of trying to use a perfectly legitimate account easily while helping to keep it safe.

The paper also contains good guidance for end users: keep an eye on activity on your accounts and enable two-factor authentication where possible.

I’m glad to see someone like Microsoft taking this step.

U.S. Regulatory outlook for 2017

Trying to predict the future

I don't want to bring up politics, but this is the first U.S. election in which cybersecurity received sustained, serious attention from the press and the candidates. Now that the election is over, will this focus mean we see a change in national cybersecurity policy? What changes might we see?

I've been reading the Commission on Enhancing National Cybersecurity's December 1, 2016 Report on Securing and Growing the Digital Economy, available at https://www.whitehouse.gov/sites/default/files/docs/cybersecurity_report.pdf, to see what the future might hold. I imagine the themes in the document were drafted when the commission expected a different outcome in the presidential and congressional elections.

Even so, some of these suggestions are likely to pass bipartisan muster. What is the Commission recommending that the new Administration and Congress do?

Clear guidance on cybersecurity standards.

"The Commission recommends that The NIST Cybersecurity framework be adopted by Federal regulatory agencies or note exceptions to it for the entities under their purview."

For agencies that haven't mandated security controls or frameworks, it may be easier for both the assessed and assessors to mandate the framework instead of creating their own rules from scratch. 

Metrics and reporting:

Wouldn't it be nice to be able to actually show the costs, risks and benefits of your cybersecurity expenditures? Without a lot of data collected over time, this ranges between speculation and educated guessing, and it's difficult to ask senior management for new tools, hires or consultants on just your say-so.

The Commission feels your pain. There's a request to gather metrics from volunteers, anonymize them and collate them to understand what works and what doesn't.

And while that data sounds good, isn't it a little scary? What happens if you're the only organization that admits to its flaws? Is this an invitation to bad press, regulatory scrutiny or lawsuits when you disclose inadequate controls or bad practices?

Possibly not. The next recommendation is to incentivize information sharing.


Liability limitations.

The Commission has recommended liability limitations to incentivize information sharing as well as compliance with the NIST guidelines.

"The government should extend additional incentives [liability protections] to companies that have implemented cyber risk management principles and demonstrate collaborative engagement... Safe Harbors would be particularly appropriate to consider in the context of providing business certainty for companies that operate in regulated sectors"

If this comes to pass, it will likely convince many firms that have suffered a breach to come forward to obtain immunity. The reputational losses may be counteracted with a 'good citizen' spin in their marketing materials.

I foresee regulatory agency safe harbors for disclosure occurring more quickly than statutory liability changes. Regulatory agencies' rule-making activities do not receive the press or public interest that legislation may garner.

Passing absolute liability caps or preventing punitive damages for self-disclosed breaches and framework compliance is a possible compromise to protect consumers and businesses alike.


Threat sharing

Sharing retrospective cybersecurity metrics is interesting, but what about defenders fighting the good fight today? Imagine the advantages of sharing malware signatures, vulnerability information and possibly threat intelligence in real time.

Some protections for intellectual property and privacy may need to remain. Building the feeds is going to be a business opportunity for cybersecurity vendors, while disrupting older siloed models of threat information.


The Commission has longer-term plans regarding specific technologies, which we'll be discussing in a subsequent blog post.

What might this mean to you?

1. Odds are we're going to see some carrot-and-stick incentives to formalize IT and security operations. It may be time to take a look at the NIST Cybersecurity Framework and see what you can do right now and what you could do in a year.
2. Take some time from your busy schedule and talk with your peers in your industry. There may be opportunities to learn from each other without violating privacy or leaking trade secrets. It'll help to develop some intra-industry trust before sharing becomes strongly recommended.

Reverse Engineering Firefox and Tor Targeted Payload

The Lotan research team is constantly seeking out new and novel memory corruption exploits to enhance our detection heuristics. This week, an exploit targeting Firefox and the Tor Browser was released, giving us a chance to exercise the capabilities of Lotan. 

LastPass and How to Respond to Zero Day Vulnerabilities

It’s nerve-racking to read that a product your company relies upon has a critical zero-day vulnerability. Do you scramble for a new solution, wait for a patch or just panic? Making important application decisions based on social-media rumblings isn't usually the best way to run an IT shop. In some ways, this is like driving down the road when your car starts making an unusual sound. It might not be time to consider buying a new car, but you do need to assess the situation.

Bulk ASLR Data Analysis

Hello from the Lotan team at Leviathan!

We recently looked at a sample set of 80,000 crash dumps from a production environment and decided it was time to look at some of the data we have in aggregate. Lotan's core focus is detecting stage-one attacks (shellcode) in crashed processes. To achieve this goal, Lotan has to process the bulk of the data contained within a memory image. One of the most interesting components of these process images is the information about the modules loaded into Windows processes.